HAL Id: hal-00182180
https://hal.archives-ouvertes.fr/hal-00182180
Submitted on 30 Oct 2007
HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.
specifications
Boulbaba Ben Ammar, Mohamed Tahar Bhiri, Jeanine Souquières
To cite this version:
Boulbaba Ben Ammar, Mohamed Tahar Bhiri, Jeanine Souquières. Towards an incremental develop-
ment of UML specifications. 2007. �hal-00182180�
specifications
Boulbaba Ben Ammar
1,2, Mohamed Tahar Bhiri
2and Jeanine Souqui`eres
11
LORIA - Nancy University 615 rue du Jardin Botanique F-54602 Villers-l`es-Nancy, France
{Boulbaba.Ben-Ammar, Jeanine.Souqui`eres}@loria.fr
2
MIRACL Laboratory - Facult´e des Sciences de Sfax B. P. 802 - 3018, Sfax - Tunisia
tahar bhiri@yahoo.fr
Abstract. Specifying complex systems is a difficult task which can- not be done in one step. Step-by-step development processes have been studied using formal methods, based on refinement mechanisms. The re- finement is a key feature for incrementally developing more and more detailed models, preserving correctness in each step. Our purpose is to instantiate this process when using UML/OCL notations. We illustrate it by some development steps of an access control system. At each step, decisions are formalized in terms of different UML notations, making evolve an initial model which expresses the fundamental properties of the system. We show that these properties are preserved by each devel- opment step.
Key words: Step-by-step development process, UML, OCL, refinement, verification
1 Introduction
Specifying a complex system is a difficult task which cannot be done in one step. Step-by-step development processes have been largely studied in formal approaches, based on refinement mechanisms. Usually, two kinds of refinement are highlighted, horizontal refinements and vertical refinements. The horizontal refinement consists in introducing new viewpoints and new details in an existing model. Each introduction of details to a model leads to a new model which must be coherent with the previous one. If it is the case, we said that the second model refines the first one. The vertical refinement consists in going from an abstract model to a more concrete one, for example by reducing the indeterminism or by strengthening the guard or the postcondition of operations. The concrete model is a realization of the abstract model.
The concept of refinement is an important aspect in formal methods, such
as the B method [1] or Object Perfect Developer [6], with the verification of the
correctness: a refinement is correct if the properties of the abstract model are verified by the concrete model. This notion of refinement between two models, an abstract and a more concrete one, is formally defined and can be mathematically proven by support tools. Meanwhile, there is a lack of a methodological studies related to the incremental development of complex system using the refinement mechanisms [8].
An incremental development is natural and relevant. Nevertheless it is cur- rently difficult to use it with UML notations [12, 18]. Indeed, a rigorous definition of the refinement concept doesn’t exist in such notations.
The concept of refinement has been highlighted in several studies. In [19], rules are proposed to check the behavioral consistency between the behavior of objects life cycles. The specialization is defined as a refinement incremented by an extension. Claudia Pons and all. [13, 17, 14, 15] have developed a tool called E- Platero [16] which supports some refinement development of class diagrams. The E-Platero tool proposes a relation of refinement equivalent to the one proposed in Object-Z [7]. Shen and Low [9] propose refinement rules for the generalization and association relationships. These rules are described on the meta-model as stereotypes. In [5], the authors define a formal notion of refinement through uni- fication, explaining the concept of correspondence between specifications, known as conformance relationships.
The goal of this paper is to present an incremental development of an UML specification. We start with an abstract initial model. For each refinement step, we present the taken decisions and how we express them in terms of OCL nota- tion [11], UML class diagram and invariant on the global system. This develop- ment case study is widely inspired by Abrial [2].
In section 2, we present some development steps of the access control case study using the UML/OCL notations. In section 3, we present lessons learn from this development case study and how the refinement steps can be supported by refinement patterns. Section 4 concludes this paper and proposes different perspectives.
2 Access control case study: some development steps
The access control case study is in charge to control the access of authorized persons to different buildings [3]. The authorization should allow a person, con- trolled by the system, to enter into certain buildings, and not into others. The exit of a person of a building is also controlled by the system, in order to know at any moment who is inside a given building.
2.1 Initial specification
The main goal of the system is to control authorized persons to enter and leave
the buildings and to manage the dynamic situation of the presence of persons in
the buildings.
UML class diagram. A first class diagram corresponding to this description is presented in Fig. 1 in which:
1. the two classes, Person and Building represent the set of persons and the set of buildings,
2. the two associations represent the authorization and the situation relation- ship between Person and Building. The multiplicity of the association situa- tion expresses the fact that, at any moment, a person must be in at least one building. The parameter unique for the authorization association expresses the fact that this association cannot be modified.
Person
pass(b:Building)
Building
1 1..*
situation authorization {unique}
Fig. 1. Initial model
System properties. The authorizations can be defined as a set of possible couples (person, building), where each couple links a person to a building in which he is authorized to enter. This set of couples is expressed as a binary relation between Person and Building and formalized in OCL as presented in (1).
Context Person
−−the binairy relation is expressed by two nested iterations def :aut :Set(TupleType(p :Person, b :Building))=
Person ::allInstances→iterate(pr :Person ;
resultset :Set(TupleType(p :Person, b :Building))=Set{}|
pr.authorization→iterate(bt:Building;|resultset.including(tuple{pr,bt}))) (1)
Moreover, the system has to manage the dynamic situation of the persons inside the buildings. We introduce a new set, sit, linking each person to the building in which he is located (2):
Context Person
−−sit is a total function, expressed by one iteration def :sit :Set(TupleType(p :Person, b :Building))=
Person ::allInstances→iterate(pr :Person ;
resultset :Set(TypleType(p :Person, b :Building))=Set{}|
resultset.including(tuple{pr,pr.situation}))
(2)
Some important properties of the model are to be added:
– the set of persons is not empty,
– each person is authorized to enter into given buildings and not others, – the authorization is a permanent assignment,
– at any time, each person can only be in one building, – any person in a given building is authorized to be there.
These properties can be formalized as shown in (3).
Context Person
inv: Person ::allInstances→notEmpty() and self.authorization→size() > = 1
and self.authorization→forAll(b|self.authorization→isUnique(b)) and self.situation→size()= 1
and aut→includingAll(sit)
(3)
The property, the set of buildings is not empty, is expressed in (4).
Context Building
inv: Building ::allInstances→notEmpty() (4)
Method definition. At this level of abstraction, we can observe the method pass of the class Person which allows the entry of a person into a building. This event should be able to occur only if the person is authorized to be in the given building and if it is not already there (5).
Context Person :: pass(b : Building) pre: aut→includes(tuple{self,b})
and sit→excludes(tuple{self, b}) post: sit→including(tuple{self, b})
(5)
Conclusion. The invariant of the system is obtained by the conjunction of the invariant of each class of the class diagram, i.e. the invariant of Person (3) and Building (4). So, it is easy to prove that the unique observable method, pass, maintains these properties.
2.2 First refinement
A person can go from a building in which he is to another where he is authorized to enter if these two buildings are connected, i.e. the first one communicates with the second.
UML class diagram. This communication between buildings is expressed by
a navigable association named communication which links the buildings (see
Fig. 2).
Person
pass(b:Building)
Building
1 1..*
situation authorisation {unique}
communication *
Fig. 2. First refinement
System properties. The concept of communication between buildings is defined as a binary relation between buildings, com, as presented in (6).
Context Building
−−com describes a binary relation
def :com :Set(TupleType(b1 :Building, b2 :Building))=
Building ::allInstances→iterate(b1 :Building ;
resultset :Set(TupleType(b1 :Building, b2 :Building))=Set{}|
b1.communication→iterate(b2:Building ;|
resultset.including(tuple{b1,b2})))
(6)
A constraint stipulating that two buildings which communicate between each other must be necessarily distinct, has to be introduced (7).
Context Building
inv: −−in addition to the invariant (4) and self.communication→excludes(self)
(7)
Method definition. To satisfy this first refinement, we have to strengthen the guard of the method pass as presented in (8).
Context Person :: pass(b : Building) pre: aut→includes(tuple{self, b})
and self.situation.communication→includes(b) post: sit→including(tuple{self, b})
(8)
Safety properties. In the current state of the model, if a person is in the building b and has no authorization to be in any of the buildings which communicates with b, this person is blocked in b. Therefore, it is necessary to add a supplementary requirement saying that no person must remain blocked in a building.
This implies that each person p authorized to enter into the building b is
also authorized to go at least into another building c which communicates with
b. Thus, we define a new set of couples (p, b), autSeqcomInv (9), where p is au-
thorized to enter into c (aut→includes(tuple{p, c})), such that b communicates
with c (com→includes(tuple{b, c})). This relation is defined as a sequential com-
position of the relation aut and the inverse of the relation com, denoted comInv
(11). This relation is defined by the cartesian product of Person and Building, denoted personCartbuilding (10).
Context Person
−−sequential composition of aut and comInv
def :autSeqcomInv :Set(TupleType(p :Person, b :Building))=
personCartbuilding→iterate(tuple(x :Person, z :Building) ; resultset :Set(TupleType(p :Person, b :Building))=Set{}|
if Building ::allInstances→exists(y :Building|aut→includes(tuple{x,y}) and Building ::comInv→includes(tuple{y,z}))
then resultset.including(tuple{x,z}) endif )
(9)
Context Person
−−cartesian product of Person and Building
def :personCartbuilding :Set(TupleType(p :Person, b :Building))=
Person ::allInstances→iterate(pr :Person ;
resultset :Set(TupleType(p :Person, b :Building))=Set{}|
Building ::allInstances→iterate(bt :Building ;|
resultset.including(tuple{pr,bt})))
(10)
Context Building
−−relation inverse of com
def :comInv :Set(TupleType(b1 :Building,b2 :Building))=
Building ::allInstances→iterate(bt1 :Building ;
resultset :TupleType(b1 :Building, b2 :Building)=Set{}|
bt1.communication→iterate(bt2 :Building ;|
resultset.including(tuple{bt2,bt1})))
(11)
A new invariant has to be introduced in the class Person : Context Person
inv: −−in addition to the invariant (3) and autSeqcomInv→includesAll(aut)
(12)
Conclusion. The second definition of the method pass given in (8) refines the definition (5), because the action is identical in both cases and the guard of the second: aut→includes(tuple{self, b}) and self.situation.communication→ in- cludes(b), is clearly stronger than the first one: aut→includes(tuple{self,b}) and sit→excludes(tuple{self, b}).
In other words, if a person is in a building which communicates with b, then the building where this person finds himself is certainly different from b since b cannot communicate with itself; therefore the first condition holds.
2.3 Second refinement
A person can go from one building to another one via one-way doors. This leads
us to introduce the origin and destination buildings for each door. Each door is
equipped with two lights, a green one indicating that the person can enter the
building and a red light indicating that he cannot enter.
UML class diagram. It is modified as follows:
1. introduction of the class Door which represents the set of doors, with a set of methods,
2. introduction of two classes GreenLight and RedLight which represent the set of the green and red lights. As both are a component of the class Door, we introduce a composition relationship between them and the class Door, 3. introduction of two associations, origin and destination,
4. introduction of the association accepted which represents the person accepted at a door,
5. removal of communication, the recursive association among buildings. This association has been refined by the introduction of the one-way doors mod- eled by the class Door and the two associations origin and destination.
Person
pass(d:Door)
Building
1 1..*
situation authorization {unique}
Door
accept(p:Person) refuse(p:Person)
origin 1 1 destination
GreenLight etat::Boolean off_green()
RedLight etat::Boolean off_red() accepted
0..1
1 1